When Shiro integrates JWT, which Shiro filter should be extended?
When I want to integrate JWT with Shiro, I need to write a filter that extends one of Shiro's filter classes, for example:
AuthenticatingFilter
BasicHttpAuthenticationFilter
AccessControlFilter
I don't know which filter I should choose to extend, so I'd like to ask about their differences. Thank you for your answer.
Solution 1:[1]
Take a look at the docs: https://shiro.apache.org/web.html#default_filters (sorry for the RTFM)
Basically, each filter will process the data of the request differently,
authcBasic
- will use basic auth: Authorization: Basic base64(username:password)
authcBearer
- a bearer token: Authorization: Bearer <token>
authc
- an HTML form post
There are a few other ones, but hopefully that helps!
Solution 2:[2]
Sorry to say, but I don't really agree with Brian's answer here. The docs won't tell you much about the specialities of a JWT.
JWTs work differently than other (Bearer) tokens: They need to be parsed BEFORE entering the Realm, because they usually contain roles or other information. Traditional auth information on the other hand will be parsed later, using the Realm's CredentialsMatcher.
That said, you will need at least three classes:
- A JWT Realm (obviously)
- A JWT Filter (which verifies the JWT and extracts information as needed)
- ... as well as the Token class, as the SimpleAuthenticationToken does not hold enough information.
You will then need to add the new Filter to your shiro.ini's URL configuration and configure the realms.
You can see a full working example here: https://github.com/bmarwell/shiro-jwt-showcase. There's a full blog post explaining it: https://blog.bmarwell.de/2022/04/26/apache-shiro-jwt-authentication-jjwt.html
Disclaimer: I am also on the Shiro team and I authored both the linked GH repo and the blog post.
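The following listing is an added example, not code from the question, either answer, or the linked showcase repository. It puts Solution 1's header handling and Solution 2's three-class split (token, filter, realm) into one working shape: the filter extends AuthenticatingFilter, reads the Authorization: Bearer header, verifies the JWT before the realm sees it, and the realm only turns the already-verified claims into principals and roles. Assumptions: Shiro 1.x with javax.servlet, jjwt 0.11.x (Jwts.parserBuilder), a "roles" claim holding a list of strings, a Base64-encoded HMAC secret injected through a hypothetical setSecretBase64 property from shiro.ini, and the package name com.example. Java needs one public class per file, so the three classes below would be split into three files.

```java
// Added example (not from the question, the answers or the Shiro project).
// Assumes Shiro 1.x (javax.servlet) and jjwt 0.11.x; the "roles" claim name and
// the secretBase64 property are assumptions. Split into three files to compile.
package com.example;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import java.security.Key;
import java.util.HashSet;
import java.util.List;

/** 1. Token: carries the raw JWT plus the claims the filter already verified. */
public class JwtToken implements AuthenticationToken {
    private final String rawJwt;
    private final Claims claims;
    public JwtToken(String rawJwt, Claims claims) { this.rawJwt = rawJwt; this.claims = claims; }
    public Claims getClaims() { return claims; }
    @Override public Object getPrincipal() { return claims.getSubject(); }
    @Override public Object getCredentials() { return rawJwt; }
}

/** 2. Filter: checks signature and expiry BEFORE the realm sees the token. */
public class JwtFilter extends AuthenticatingFilter {
    private static final String PREFIX = "Bearer ";
    private Key key;

    /** Set from shiro.ini: jwtFilter.secretBase64 = ... (assumed property name). */
    public void setSecretBase64(String secretBase64) {
        this.key = Keys.hmacShaKeyFor(Decoders.BASE64.decode(secretBase64)); // >= 256-bit for HS256
    }

    private String bearer(ServletRequest request) {
        String h = WebUtils.toHttp(request).getHeader("Authorization");
        return (h != null && h.startsWith(PREFIX)) ? h.substring(PREFIX.length()).trim() : null;
    }

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        String jwt = bearer(request);
        if (jwt == null) return null;
        // parseClaimsJws rejects unsigned ("alg":"none"), tampered and expired tokens with a JwtException.
        Claims claims = Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(jwt).getBody();
        return new JwtToken(jwt, claims);
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (bearer(request) != null) {
            try {
                return executeLogin(request, response); // createToken(), then subject.login(token)
            } catch (JwtException e) {
                // executeLogin only catches AuthenticationException; a bad JWT must still end in 401
            }
        }
        WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }

    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
                                     ServletRequest request, ServletResponse response) {
        WebUtils.toHttp(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
}

/** 3. Realm: trusts the verified claims; no CredentialsMatcher work is left to do. */
public class JwtRealm extends AuthorizingRealm {
    public JwtRealm() {
        setAuthenticationTokenClass(JwtToken.class);          // supports() only JwtToken
        setCredentialsMatcher(new AllowAllCredentialsMatcher()); // signature was checked in the filter
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        Claims claims = ((JwtToken) token).getClaims();
        SimplePrincipalCollection principals = new SimplePrincipalCollection(claims.getSubject(), getName());
        principals.add(claims, getName()); // keep the claims so authorization can read the roles
        return new SimpleAuthenticationInfo(principals, token.getCredentials());
    }

    @Override
    @SuppressWarnings("unchecked")
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Claims claims = principals.oneByType(Claims.class);
        List<String> roles = claims == null ? null : claims.get("roles", List.class);
        return new SimpleAuthorizationInfo(roles == null ? new HashSet<>() : new HashSet<>(roles));
    }
}
```

Wiring it up in shiro.ini (assumed names): under [main], `jwtFilter = com.example.JwtFilter`, `jwtFilter.secretBase64 = <base64 key>`, `jwtRealm = com.example.JwtRealm`, `securityManager.realms = $jwtRealm`, and for a stateless API `securityManager.subjectDAO.sessionStorageEvaluator.sessionStorageEnabled = false`; under [urls], `/api/** = noSessionCreation, jwtFilter`. The point to check in any variant: the JwtException from parsing must be mapped to a 401 inside the filter, because AuthenticatingFilter.executeLogin only catches AuthenticationException and would otherwise surface a 500, and the realm must not fall back to a CredentialsMatcher that compares the raw JWT string as if it were a password.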
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Brian Demers |
| Solution 2 | Benjamin Marwell |